Tool Release: get-file-info

Over the past few months and years, I’ve developed a number of tools for forensic investigators. These are tools I needed for one reason or another, and actively used over many investigations. Although I’ve mentioned some of them in passing at various points (such as at OSDFC, or in my MFT analysis presentation), many of the tools have never received a formal introduction or release. These posts change that.

get-file-info is a tool for inspecting NTFS MFT records. An analyst can use it to review the metadata associated with a file path, including timestamps, attributes, and data runs. You’ll find the tool useful to challenge or confirm artifact interpretations and recover evidence of deleted files.

For more information, please visit the tool page here.
